From 592f2a25176f85385170e0f96e9bc6c6827d1a2e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20Fredrik=20Ki=C3=A6r?= <31612826+anders-kiaer@users.noreply.github.com>
Date: Wed, 22 Jan 2020 09:20:17 +0000
Subject: [PATCH] frame-src csp self (#179)

---
 webviz_config/_theme_class.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/webviz_config/_theme_class.py b/webviz_config/_theme_class.py
index d6aac12a..2a1526f7 100644
--- a/webviz_config/_theme_class.py
+++ b/webviz_config/_theme_class.py
@@ -23,8 +23,8 @@ def __init__(self, theme_name):
             "navigate-to": "'self'",
             "base-uri": "'self'",
             "form-action": "'self'",
-            "frame-ancestors": "'none'",
-            "child-src": "'none'",
+            "frame-ancestors": "'self'",  # [3]
+            "frame-src": "'self'",  # [3]
             "object-src": "'self'",
             "plugin-types": "application/pdf",
         }
@@ -34,6 +34,9 @@ def __init__(self, theme_name):
         [1] unsafe-inline for style still needed by plotly (https://github.com/plotly/plotly.js/issues/2355)
         [2] https://github.com/plotly/dash/issues/630
+        [3] We use 'self' instead of 'none' due to what looks like a Chromium bug,
+            where e.g. pdf's included using is not rendered. Might be
+            related to https://bugs.chromium.org/p/chromium/issues/detail?id=1002610
         """
         self._feature_policy = {
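Review bot: Relaxing `frame-ancestors` from `'none'` to `'self'` gives up the app's anti-framing protection for same-origin embedders, a security trade-off that the `# [3]` marker and its note do not state — the note only attributes the change to a Chromium bug. That is tolerable if nothing attacker-influenced is ever served from the same origin, but it should be recorded next to the directive, e.g. `"frame-ancestors": "'self'",  # [3] allows same-origin framing; cross-origin clickjacking still blocked`, and if this header is emitted on every response (the PDF response itself appears to be what trips the bug) consider relaxing it only for routes that must be framed rather than for the HTML document. Replacing `child-src 'none'` with `frame-src 'self'` also changes worker policy: `worker-src` previously fell back to `child-src 'none'` and now falls back to `script-src`, which is not visible in this hunk, so confirm that is intended. The enclosing `__init__` starts and ends outside the hunk.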